From a5d4c6553317d9e5a25c47e9417f2ba5baabab41 Mon Sep 17 00:00:00 2001
From: Trammell Hudson
Date: Thu, 4 May 2017 11:18:50 -0400
Subject: [PATCH] use SHA256 digest on signatures to avoid SHA1 collision attacks (issue #120)
---
 initrd/bin/qubes-update | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/initrd/bin/qubes-update b/initrd/bin/qubes-update
index 0b259a0c..d129cc0c 100755
--- a/initrd/bin/qubes-update
+++ b/initrd/bin/qubes-update
@@ -70,7 +70,12 @@ sha256sum \
 | tee "$BOOT_HASHES"
 for tries in 1 2 3; do
- if gpg --detach-sign -a "$BOOT_HASHES"; then
+ if gpg \
+ --digest-algo SHA256 \
+ --detach-sign \
+ -a \
+ "$BOOT_HASHES" \
+ ; then
 mount -o ro,remount /boot
 exit 0
 fi
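Review bot: Pinning `--digest-algo SHA256` on the `gpg --detach-sign` call only constrains signatures produced by this script; the code that later verifies the detached signature over `$BOOT_HASHES` is not part of this hunk, and unless it also refuses SHA1-based signatures it will presumably still accept an older or substituted one. It is worth confirming that the verification path rejects weak digests (GnuPG has a `--weak-digest SHA1` option on builds that support it) and that any signatures made before this change are regenerated. A short why-comment above the call would also help the next maintainer, e.g. `# force SHA256: do not rely on gpg's default digest, which may be SHA1 (issue #120)`. The `for tries in 1 2 3` loop continues outside the hunk, so what happens after three failed signing attempts cannot be judged from here.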